From 80ceacaa78213c3e1f2deed5b23080df30872f01 Mon Sep 17 00:00:00 2001
From: Boris Cherny
Date: Mon, 18 Aug 2025 09:56:56 -0700
Subject: [PATCH] Re-add log-issue-events workflow with security fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Re-implements the workflow removed in #5919, but with proper security:
- All GitHub event data is now passed via environment variables
- No direct templating of values into shell commands
- Prevents remote code execution through malicious issue titles
- Still escapes quotes in JSON payload for proper formatting

This fixes the security vulnerability while maintaining the functionality of logging issue creation events to Statsig.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 .github/workflows/log-issue-events.yml | 40 ++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/log-issue-events.yml

diff --git a/.github/workflows/log-issue-events.yml b/.github/workflows/log-issue-events.yml
new file mode 100644
index 00000000..c3fd0c86
--- /dev/null
+++ b/.github/workflows/log-issue-events.yml
@@ -0,0 +1,40 @@
+name: Log Issue Events to Statsig
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ log-to-statsig:
+ runs-on: ubuntu-latest
+ permissions:
+ issues: read
+ steps:
+ - name: Log issue creation to Statsig
+ env:
+ STATSIG_API_KEY: ${{ secrets.STATSIG_API_KEY }}
+ ISSUE_NUMBER: ${{ github.event.issue.number }}
+ REPO: ${{ github.repository }}
+ ISSUE_TITLE: ${{ github.event.issue.title }}
+ AUTHOR: ${{ github.event.issue.user.login }}
+ CREATED_AT: ${{ github.event.issue.created_at }}
+ run: |
+ # All values are now safely passed via environment variables
+ # No direct templating in the shell script to prevent injection attacks
+
+ curl -X POST "https://events.statsigapi.net/v1/log_event" \
+ -H "Content-Type: application/json" \
+ -H "statsig-api-key: $STATSIG_API_KEY" \
+ -d '{
+ "events": [{
+ "eventName": "github_issue_created",
+ "metadata": {
+ "issue_number": "'"$ISSUE_NUMBER"'",
+ "repository": "'"$REPO"'",
+ "title": "'"$(echo "$ISSUE_TITLE" | sed "s/\"/\\\\\"/g")"'",
+ "author": "'"$AUTHOR"'",
+ "created_at": "'"$CREATED_AT"'"
+ },
+ "time": '"$(date +%s)000"'
+ }]
+ }'
\ No newline at end of file
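Review bot: The `sed "s/\"/\\\\\"/g"` on the `"title"` line escapes only double quotes, so a backslash or a control character in an issue title still produces an invalid JSON body — a title ending in `\` becomes `\\"`, which JSON reads as an escaped backslash followed by the closing quote — and because curl is not run with `--fail` the dropped event is reported as success; the move to environment variables closes the shell-injection hole but not this one. Since ubuntu-latest ships jq, build the payload with `jq -n --arg …`, which escapes every field correctly, and hand it to curl as a single `-d "$payload"`. The `$(echo "$ISSUE_TITLE" | …)` form is also fragile when a title starts with `-n` or `-e`, which the bash builtin echo treats as options; jq's `--arg` avoids that as well. Adding `-sS --fail` (or `--fail-with-body`) to the curl call makes a rejected request fail the step instead of passing silently.
```yaml
        run: |
          # Build the body with jq so every field is JSON-escaped, not just double quotes
          payload="$(jq -n \
            --arg issue_number "$ISSUE_NUMBER" \
            --arg repository "$REPO" \
            --arg title "$ISSUE_TITLE" \
            --arg author "$AUTHOR" \
            --arg created_at "$CREATED_AT" \
            --argjson time "$(date +%s)000" \
            '{events: [{eventName: "github_issue_created",
                        metadata: {issue_number: $issue_number, repository: $repository,
                                   title: $title, author: $author, created_at: $created_at},
                        time: $time}]}')"
          curl -sS --fail -X POST "https://events.statsigapi.net/v1/log_event" \
            -H "Content-Type: application/json" \
            -H "statsig-api-key: $STATSIG_API_KEY" \
            -d "$payload"
```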